CN115603973B - Heterogeneous security monitoring method and system based on government information network - Google Patents


Info

Publication number
CN115603973B
Authority
CN
China
Prior art keywords
access behavior
knowledge graph
behavior
access
security
Prior art date
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Active
Application number
CN202211208562.6A
Other languages
Chinese (zh)
Other versions
CN115603973A (en)
Inventor
文鹏
金林君
吴俊桥
徐永为
郑少秋
Current Assignee (as listed by Google Patents; may be inaccurate)
Zhejiang Dianke Zhisheng Technology Co ltd
Original Assignee
Zhejiang Dianke Zhisheng Technology Co ltd
Application CN202211208562.6A filed by Zhejiang Dianke Zhisheng Technology Co ltd; published as CN115603973A, then granted and published as CN115603973B (legal status Active)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention provides a heterogeneous security monitoring method and system based on a government information network, and relates to the technical field of data processing. Operation log data are first extracted from each target government information processing device. Knowledge graph construction is then carried out according to the device correlation between the target government information processing devices to which the device access behavior clusters in the operation log data belong, combined with the time correlation between the time periods to which those clusters belong, so as to form an access behavior knowledge graph covering all device access behavior clusters in the operation log data. Finally, an access security detection neural network model performs behavior security analysis on the access behavior knowledge graph to determine a target behavior security analysis result for the target government information network heterogeneous system. Because the analysis draws on the access behaviors of all devices together rather than on each device in isolation, the low reliability of behavior security analysis in the prior art is improved.

Description

Heterogeneous security monitoring method and system based on government information network
Technical Field
The invention relates to the technical field of data processing, in particular to a heterogeneous security monitoring method and system based on a government information network.
Background
A heterogeneous network is a network made up of computers, network devices and systems from different manufacturers, usually running different protocols to support different functions or applications. The different component networks are connected to a core network through gateways and ultimately to the Internet, so that they are integrated into a whole. An important issue in heterogeneous network convergence is how these networks are interconnected and how a unified management platform is provided for heterogeneous (including wireless) network resources. Because the devices operate by different mechanisms, a heterogeneous network is regarded as harder to compromise as a whole, and it is therefore used in many settings, such as government information networks. In such settings the access behaviors received by the devices in the network must also be analyzed to determine how secure the network is. In the prior art, however, each device in the network is generally analyzed on its own, so the reliability of the analysis tends to be low.
Disclosure of Invention
In view of the above, the present invention aims to provide a heterogeneous security monitoring method and system based on government information network, so as to solve the problem of low reliability of behavioral security analysis.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical scheme:
a heterogeneous security monitoring method based on a government information network comprises the following steps:
extracting, from each target government information processing device included in the target government information network heterogeneous system, the operation log data corresponding to that device, wherein the operation log data comprises a plurality of device access behavior clusters formed from the device access behaviors received by the device in a plurality of time periods, each device access behavior cluster comprises at least one device access behavior performed by at least one data access device within one time period, and the target government information network heterogeneous system comprises a plurality of target government information processing devices;
carrying out knowledge graph construction on the device access behavior clusters according to the device correlation between the target government information processing devices to which the clusters belong, combined with the time correlation between the time periods to which the clusters belong, so as to form an access behavior knowledge graph corresponding to all device access behavior clusters included in all the operation log data;
and performing behavior security analysis on the access behavior knowledge graph with an access security detection neural network model to determine a target behavior security analysis result corresponding to the target government information network heterogeneous system, the target behavior security analysis result reflecting the network security degree of that system.
In some preferred embodiments, in the heterogeneous security monitoring method based on a government information network, the step of extracting the operation log data corresponding to each target government information processing device includes:
extracting the original (raw) operation log data from each target government information processing device included in the target government information network heterogeneous system;
and parsing the raw operation log data of each device according to the data parsing rule configured for that device, so as to obtain the operation log data corresponding to each device. Each device type in a heterogeneous system logs in its own format, so the parsing rule is per device, and the output of this step is the parsed operation log data, not the raw data.
In some preferred embodiments, in the heterogeneous security monitoring method based on a government information network, the step of constructing the access behavior knowledge graph from the device access behavior clusters according to the device correlation between the devices to which the clusters belong, combined with the time correlation between the time periods to which the clusters belong, includes:
for each pair of target government information processing devices, analyzing the data interaction behavior between the two devices to output a first device correlation, analyzing the overlap between the sets of data access devices that access each of the two devices to output a second device correlation, and merging the first and second device correlations into a target device correlation between the two devices;
taking the target device correlation between the devices to which the clusters belong as a first analysis dimension and the time correlation between the time periods to which the clusters belong as a second analysis dimension, determining two-dimensional distribution coordinates for each device access behavior cluster from these two dimensions, and using those coordinates as the position of the cluster in the access behavior knowledge graph to be constructed, so as to construct the access behavior knowledge graph corresponding to all device access behavior clusters included in all the operation log data.
In some preferred embodiments, in the heterogeneous security monitoring method based on a government information network, the step of performing behavior security analysis on the access behavior knowledge graph with the access security detection neural network model to determine the target behavior security analysis result includes:
taking the access behavior intention data in the access behavior knowledge graph as the basis, performing information extraction on the access behavior knowledge graph to form a plurality of access behavior knowledge graph regions, wherein the access behavior intention data is obtained by analyzing the device access behavior clusters in the graph, and the distribution of the access behavior intention data determines the number of information extraction passes;
performing salient feature mining on the access behavior knowledge graph regions with the access security detection neural network model according to a pre-configured first salient feature analysis rule and a pre-configured second salient feature analysis rule, so as to output a salient feature mining result for each region, wherein the first rule uses a fixed detection frame and the second rule uses a variable detection frame;
performing the reverse of salient feature mining on the salient feature mining results to form an updated access behavior knowledge graph region for each region, each updated region carrying behavior security identification information;
performing security analysis on the updated regions to output a region-level behavior security analysis result for each access behavior knowledge graph region;
and performing behavior security analysis on the whole access behavior knowledge graph according to the region-level results, so as to output the target behavior security analysis result of the graph, which serves as the target behavior security analysis result of the target government information network heterogeneous system.
In some preferred embodiments, in the heterogeneous security monitoring method based on a government information network, the step of performing information extraction on the access behavior knowledge graph on the basis of its access behavior intention data, to form the plurality of access behavior knowledge graph regions, includes:
mining the access behavior intention data of the access behavior knowledge graph to output an access behavior intention data distribution network, which reflects the distribution of access behavior intention data at each graph point of the access behavior knowledge graph;
determining, from the distribution of access behavior intention data at each graph point in that network, the number of information extraction passes for the corresponding graph point;
and performing information extraction on the access behavior knowledge graph according to that number of passes, so as to form the plurality of access behavior knowledge graph regions.
In some preferred embodiments, in the heterogeneous security monitoring method based on a government information network, the step of performing behavior security analysis on the access behavior knowledge graph according to the region-level behavior security analysis results, so as to output the target behavior security analysis result of the graph as that of the target government information network heterogeneous system, includes:
computing, for each region-level behavior security analysis result, a region number ratio from the number of access behavior knowledge graph regions that received that result;
and performing behavior security analysis on the access behavior knowledge graph according to the region number ratio of each region-level result, so as to output the target behavior security analysis result of the graph as the target behavior security analysis result of the target government information network heterogeneous system.
In some preferred embodiments, in the heterogeneous security monitoring method based on a government information network, the step of training (updating) the access security detection neural network model includes:
taking the access behavior intention data in an extracted sample access behavior knowledge graph as the basis, performing information extraction on the sample graph to form a plurality of sample access behavior knowledge graph regions, wherein the sample graph carries a reference (ground-truth) behavior security analysis result, the access behavior intention data is obtained by analyzing the device access behavior clusters in the sample graph, and the distribution of that data determines the number of information extraction passes;
outputting the reference behavior security identification information of each sample region according to the distribution of the sample regions within the sample graph and a pre-configured behavior security identification information network, which records the behavior security identification information of each region of the sample graph;
performing salient feature mining on the sample regions with the initial access security detection neural network model to be updated, according to the pre-configured first and second salient feature analysis rules, so as to output a salient feature mining result for each sample region;
performing the reverse of salient feature mining on those results to form an updated sample region for each sample region, each updated sample region carrying behavior security identification information;
performing security analysis on the updated sample regions to output a region-level behavior security analysis result for each sample region;
performing behavior security analysis on the sample graph according to the region-level results to output a target behavior security analysis result for the sample graph;
and updating the model to be updated according to the behavior security identification information carried by each updated sample region, the reference behavior security identification information of each sample region, the target behavior security analysis result of the sample graph and the reference behavior security analysis result, so as to obtain the access security detection neural network model.
In some preferred embodiments, in the heterogeneous security monitoring method based on a government information network, the step of updating the model to be updated according to those four inputs includes:
computing an identification information error from the behavior security identification information carried by each updated sample region and the reference behavior security identification information of the corresponding sample region;
computing a security result error from the target behavior security analysis result of the sample graph and the reference behavior security analysis result;
and updating the model to be updated according to the identification information error and the security result error, so as to obtain the access security detection neural network model.
In some preferred embodiments, in the heterogeneous security monitoring method based on a government information network, the step of computing the identification information error includes:
computing a first identification information error with a preset first error function from the behavior security identification information carried by each updated sample region and the reference behavior security identification information of the corresponding sample region;
computing a second identification information error from the same inputs with a preset second error function that is different from the first error function;
and fusing the first and second identification information errors to output the identification information error.
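The two steps just described, deriving the system-level result from the region number ratios of the region-level results, and fusing two different error functions into the identification information error that is then combined with the security result error, as an added worked example. This is not the patent's code: the patent fixes neither the error functions nor the aggregation policy. Everything concrete below is an assumption made here: binary cross-entropy as the first error function, a Dice-style overlap error as the second, equal fusion weights, squared error for the security result error, and a threshold policy (the system is rated unsafe once the unsafe-region ratio passes a threshold) rather than a majority vote. The region results and per-region scores are constructed inputs.

```python
import math


def region_ratios(region_results):
    """Region number ratio: share of regions carrying each region-level result."""
    if not region_results:
        return {}
    counts = {}
    for result in region_results:
        counts[result] = counts.get(result, 0) + 1
    return {result: n / len(region_results) for result, n in counts.items()}


def system_result(region_results, unsafe_threshold=0.2):
    """Target behavior security analysis result from the region ratios.
    Assumed policy: 'unsafe' as soon as the unsafe-region ratio exceeds the
    threshold. A majority vote would let a few compromised devices be outvoted
    by the many quiet ones, which is the wrong failure mode for a monitor."""
    unsafe_ratio = region_ratios(region_results).get("unsafe", 0.0)
    return ("unsafe" if unsafe_ratio > unsafe_threshold else "safe"), unsafe_ratio


def bce_error(pred, label, eps=1e-7):
    """First error function (assumed): mean binary cross-entropy over regions.
    pred holds the model's per-region unsafe probabilities, label the 0/1
    reference identification information."""
    total = 0.0
    for p, y in zip(pred, label):
        p = min(max(p, eps), 1.0 - eps)          # keep log() finite
        total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
    return total / len(pred)


def dice_error(pred, label, eps=1e-7):
    """Second error function (assumed): 1 - Dice overlap of the predicted and
    reference unsafe-region sets. Unsafe regions are rare, so per-region BCE
    is dominated by the easy 'safe' regions; the overlap term is not."""
    inter = sum(p * y for p, y in zip(pred, label))
    return 1.0 - (2.0 * inter + eps) / (sum(pred) + sum(label) + eps)


def identification_error(pred, label, w_bce=0.5, w_dice=0.5):
    """Fused identification information error (fusion weights assumed)."""
    return w_bce * bce_error(pred, label) + w_dice * dice_error(pred, label)


def result_error(pred_score, ref_score):
    """Security result error on the system-level score (squared error, assumed)."""
    return (pred_score - ref_score) ** 2


def training_error(pred, label, pred_score, ref_score, w_result=1.0):
    """Total error the model update is driven by: fused identification error
    plus the weighted security result error."""
    return identification_error(pred, label) + w_result * result_error(pred_score, ref_score)


# Constructed sample: eight regions of one sample graph, two of them unsafe.
LABEL = [0, 0, 1, 1, 0, 0, 0, 0]
REGION_RESULTS = ["unsafe" if y else "safe" for y in LABEL]
PRED_GOOD = [0.05, 0.05, 0.95, 0.90, 0.05, 0.05, 0.05, 0.05]
PRED_FLAT = [0.5] * 8   # uninformative model, every region 50/50


def demo():
    """Returns (system result, unsafe ratio, error of the good model, error of the flat model)."""
    result, ratio = system_result(REGION_RESULTS)
    ref_score = ratio                           # reference system-level score
    good = training_error(PRED_GOOD, LABEL, 0.25, ref_score)
    flat = training_error(PRED_FLAT, LABEL, 0.5, ref_score)
    return result, ratio, good, flat


if __name__ == "__main__":
    print(demo())
```

With two unsafe regions out of eight the unsafe ratio is 0.25, which a majority vote would report as "safe"; the threshold policy reports "unsafe". The flat model is penalised both by the fused identification error and by its wrong system-level score, which is the point of training on both signals.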
The embodiment of the invention also provides a heterogeneous security monitoring system based on a government information network, comprising a processor and a memory, wherein the memory stores a computer program and the processor executes that program so as to implement the heterogeneous security monitoring method based on a government information network.
In the heterogeneous security monitoring method and system based on a government information network provided by the embodiment of the invention, operation log data are first extracted from each target government information processing device; an access behavior knowledge graph is constructed from the device access behavior clusters in that data according to the device correlation between the devices to which the clusters belong, combined with the time correlation between the time periods to which the clusters belong; and an access security detection neural network model performs behavior security analysis on the graph to determine the target behavior security analysis result of the target government information network heterogeneous system. Because the knowledge graph integrates all device access behaviors in the heterogeneous system, the analysis rests on a sufficient basis, which addresses the low reliability of behavior security analysis in the prior art.
In order to make the above objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
Fig. 1 is a block diagram of a heterogeneous security monitoring system based on a government information network according to an embodiment of the present invention.
Fig. 2 is a schematic flow chart of steps included in a heterogeneous security monitoring method based on a government information network according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of each module included in a heterogeneous security monitoring device based on a government information network according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, the embodiment of the invention provides a heterogeneous security monitoring system based on a government information network. Wherein the heterogeneous security monitoring system may include a memory and a processor.
Optionally, in some detailed embodiments, the memory and the processor are electrically connected directly or indirectly to enable transmission or interaction of data. For example, electrical connection may be made to each other via one or more communication buses or signal lines. The memory may have stored therein at least one software functional module (computer program) that may be present in the form of software or firmware. The processor may be configured to execute the executable computer program stored in the memory, so as to implement the heterogeneous security monitoring method based on the government information network provided by the embodiment of the present invention.
Alternatively, in some detailed embodiments, the memory may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and the like. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) or a system on chip (SoC), or a digital signal processor (DSP), application-specific integrated circuit (ASIC), field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
Alternatively, in some detailed embodiments, the heterogeneous security monitoring system based on government information networks may be a server with data processing capabilities.
With reference to fig. 2, the embodiment of the invention further provides a heterogeneous security monitoring method based on the government information network, which can be applied to the heterogeneous security monitoring system based on the government information network. The method steps defined by the flow related to the heterogeneous security monitoring method based on the government information network can be realized by the heterogeneous security monitoring system based on the government information network.
The specific flow shown in fig. 2 will be described in detail.
Step 110, extracting operation log data corresponding to each target government information processing device from each target government information processing device included in the target government information network heterogeneous system.
In the embodiment of the invention, the heterogeneous security monitoring system extracts, from each target government information processing device in the target government information network heterogeneous system, the operation log data corresponding to that device. The operation log data comprises a plurality of device access behavior clusters formed from the device access behaviors received by the device in a plurality of time periods; each cluster comprises at least one device access behavior (all of the received device access behaviors, or a screened subset of them) performed by at least one data access device within one time period; and the heterogeneous system comprises a plurality of target government information processing devices.
Step 120, performing knowledge graph construction processing on the device access behavior clusters according to the device correlation among the target government information processing devices corresponding to the device access behavior clusters, combined with the time correlation among the time periods corresponding to the device access behavior clusters, so as to form access behavior knowledge graphs corresponding to all the device access behavior clusters included in all the operation log data.
In the embodiment of the invention, the heterogeneous security monitoring system can perform knowledge graph construction processing on the equipment access behavior clusters according to the equipment correlation relationship between the target government information processing equipment corresponding to the equipment access behavior clusters and in combination with the time correlation relationship between the time periods corresponding to the equipment access behavior clusters so as to form access behavior knowledge graphs corresponding to all the equipment access behavior clusters included in all the running log data (in the access behavior knowledge graphs, one graph member corresponds to one equipment access behavior cluster).
Step 130, performing behavior security analysis processing on the access behavior knowledge graph by using an access security detection neural network model, so as to determine a target behavior security analysis result corresponding to the target government information network heterogeneous system.
In the embodiment of the invention, the heterogeneous security monitoring system can utilize an access security detection neural network model to conduct behavior security analysis processing on the access behavior knowledge graph so as to determine a target behavior security analysis result corresponding to the target government information network heterogeneous system. The target behavior security analysis result is used for reflecting the system network security degree (namely the security reliability degree) of the target government information network heterogeneous system.
Based on the foregoing steps, namely step 110, step 120 and step 130, all the device access behaviors included in the target government information network heterogeneous system are integrated through the knowledge graph, so the analysis basis is sufficient and the reliability of the behavior security analysis can be improved to a certain extent, which addresses the problem of low reliability of behavior security analysis in the prior art.
Optionally, step 110, in some detailed embodiments, includes the following:
extracting original operation log data corresponding to each target government information processing device from each target government information processing device included in the target government information network heterogeneous system respectively;
According to the data analysis rule corresponding to each target government information processing device (which may include, but is not limited to, decryption processing; that is, the original running log data may be encrypted data, and the decryption modes of different target government information processing devices may differ), data analysis processing is performed on the original running log data corresponding to each target government information processing device, so as to obtain the operation log data corresponding to each target government information processing device.
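Step 110 in working form, as an added illustration rather than code from the patent: each target device's raw export is handled by its own data-analysis rule, and the resulting access behaviors are grouped into one cluster per time period. The device names, the two parse rules (a base64-wrapped JSON export and a plain CSV export standing in for device-specific decryption), the period length and the log records are all constructed assumptions.

```python
import base64
import json
from collections import defaultdict

# Constructed raw log exports, keyed by target device.  dev-A exports
# base64-encoded JSON lines and dev-B plain "ts,src,object" CSV lines; both
# are stand-ins for the device-specific data-analysis (e.g. decryption) rules.
RAW_LOGS = {
    "dev-A": [
        base64.b64encode(json.dumps(r).encode()).decode()
        for r in (
            {"ts": 1000, "src": "10.0.0.5", "object": "/citizens/1"},
            {"ts": 1030, "src": "10.0.0.6", "object": "/citizens/2"},
            {"ts": 1100, "src": "10.0.0.5", "object": "/citizens/1"},
        )
    ],
    "dev-B": ["1005,10.0.0.9,/permits/7", "1140,10.0.0.9,/permits/8"],
}


def parse_dev_a(line):
    """Data-analysis rule for dev-A: undo the base64 wrapping, then parse JSON."""
    return json.loads(base64.b64decode(line))


def parse_dev_b(line):
    """Data-analysis rule for dev-B: split the CSV triple."""
    ts, src, obj = line.split(",", 2)
    return {"ts": int(ts), "src": src, "object": obj}


# One rule per target device (assumed registry); a device without a rule is an
# error rather than being skipped silently, so no device drops out of the graph.
PARSE_RULES = {"dev-A": parse_dev_a, "dev-B": parse_dev_b}


def extract_operation_logs(raw_logs, rules):
    """Apply each device's own rule to its raw export, yielding operation log data."""
    logs = {}
    for dev, lines in raw_logs.items():
        if dev not in rules:
            raise KeyError(f"no data-analysis rule configured for device {dev}")
        logs[dev] = [rules[dev](line) for line in lines]
    return logs


def cluster_by_period(behaviors, period_len):
    """Group one device's access behaviours into clusters, one per time period."""
    clusters = defaultdict(list)
    for b in behaviors:
        clusters[b["ts"] // period_len].append(b)
    return dict(clusters)


def build_clusters(raw_logs, rules, period_len=100):
    """device -> {period index -> [access behaviours]}: the structure the
    knowledge graph of step 120 is built from."""
    logs = extract_operation_logs(raw_logs, rules)
    return {dev: cluster_by_period(bs, period_len) for dev, bs in logs.items()}


if __name__ == "__main__":
    for dev, clusters in build_clusters(RAW_LOGS, PARSE_RULES).items():
        for period, behaviors in sorted(clusters.items()):
            print(dev, period, [b["src"] for b in behaviors])
```

With the constructed records and a period length of 100, dev-A yields two clusters (periods 10 and 11) and dev-B two clusters (periods 10 and 11); an export from a device with no configured rule raises instead of being silently dropped.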
Optionally, step 120, in some detailed embodiments, includes the following:
for each two target government information processing devices, analyzing and processing data interaction behaviors between the two target government information processing devices to output a first device correlation relationship between the two target government information processing devices (for example, the more frequent the data interaction behaviors are, the higher the correlation degree of the corresponding first device correlation relationship is, and/or the larger the data volume of the data interaction behaviors is, the higher the correlation degree of the corresponding first device correlation relationship is), then performing coincidence analysis processing on the data access devices corresponding to the two target government information processing devices to output a second device correlation relationship between the two target government information processing devices (for example, the greater the coincidence degree between the data access devices is, the higher the correlation degree of the corresponding second device correlation relationship is), and fusing the first device correlation relationship and the second device correlation relationship (for example, performing calculation processing such as weighted summation) to output the target device correlation relationship between the two target government information processing devices;
Taking the target device correlation relationship between the target government information processing devices corresponding to the device access behavior clusters as a first analysis dimension, taking the time correlation relationship between the time periods corresponding to the device access behavior clusters as a second analysis dimension, respectively determining two-dimensional distribution coordinates corresponding to each device access behavior cluster according to the first analysis dimension and the second analysis dimension, taking the two-dimensional distribution coordinates corresponding to each device access behavior cluster as knowledge graph positions in the access behavior knowledge graph to be constructed, and constructing the access behavior knowledge graph corresponding to all device access behavior clusters included in all running log data (based on the first analysis dimension and the second analysis dimension, two device access behavior clusters whose knowledge graph positions are close in both dimensions have a higher correlation degree, whereas two device access behavior clusters whose knowledge graph positions are far apart in the first analysis dimension and/or the second analysis dimension have a lower correlation degree).
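The two device correlation relationships and their fusion, followed by the two-dimensional placement of clusters, as an added example that is not the patent's own code. The interaction-based relationship normalises frequency and volume against the busiest pair, the coincidence-based relationship is a Jaccard overlap of the accessing device sets, the fusion weights (0.6/0.4), the greedy one-dimensional device layout and all sample data are assumptions.

```python
from itertools import combinations

# Constructed sample: per target device, the set of data access devices seen
# accessing it over the log window (basis of the coincidence-based relationship).
ACCESSORS = {
    "dev-A": {"10.0.0.5", "10.0.0.6", "10.0.0.7"},
    "dev-B": {"10.0.0.5", "10.0.0.6", "10.0.0.9"},
    "dev-C": {"10.0.1.1"},
}
# Constructed sample: device-to-device data interactions as (count, total bytes).
INTERACTIONS = {
    frozenset({"dev-A", "dev-B"}): (120, 4_800_000),
    frozenset({"dev-A", "dev-C"}): (3, 20_000),
}


def first_correlation(a, b):
    """Interaction-based relationship: frequency and volume, each normalised
    against the busiest pair in the system, then averaged (assumed scheme)."""
    max_count = max(c for c, _ in INTERACTIONS.values())
    max_bytes = max(n for _, n in INTERACTIONS.values())
    count, nbytes = INTERACTIONS.get(frozenset({a, b}), (0, 0))
    return (count / max_count + nbytes / max_bytes) / 2


def second_correlation(a, b):
    """Coincidence-based relationship: Jaccard overlap of the accessor sets."""
    sa, sb = ACCESSORS[a], ACCESSORS[b]
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def target_correlation(a, b, w1=0.6, w2=0.4):
    """Fuse the two relationships by weighted summation (weights assumed)."""
    return w1 * first_correlation(a, b) + w2 * second_correlation(a, b)


def layout_devices(devices):
    """First analysis dimension: greedy 1-D placement in which each device sits
    at distance (1 - correlation) from the already placed device it correlates
    with most, so strongly correlated devices receive nearby coordinates."""
    pos = {devices[0]: 0.0}
    for d in devices[1:]:
        best = max(pos, key=lambda p: target_correlation(d, p))
        pos[d] = pos[best] + (1.0 - target_correlation(d, best))
    return pos


def graph_positions(devices, periods):
    """Knowledge graph position of every (device, period) cluster: the device
    coordinate is the first dimension and the period index the second, so
    clusters close in both dimensions are the strongly correlated ones."""
    pos = layout_devices(devices)
    return {(d, t): (pos[d], float(t)) for d in devices for t in periods}


if __name__ == "__main__":
    for a, b in combinations(sorted(ACCESSORS), 2):
        print(a, b, round(target_correlation(a, b), 3))
    for key, xy in graph_positions(["dev-A", "dev-B", "dev-C"], range(3)).items():
        print(key, xy)
```

On the constructed data dev-A and dev-B interact heavily and share two of four accessors, so their fused correlation is 0.8 and dev-B lands 0.2 from dev-A on the first axis, while dev-C, which barely interacts with either and shares no accessor, is placed almost a full unit away.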
Optionally, step 130, in some detailed embodiments, includes the following:
taking the access behavior intention data in the access behavior knowledge graph as the processing basis, performing information extraction processing on the access behavior knowledge graph to form a plurality of access behavior knowledge graph regions corresponding to the access behavior knowledge graph, wherein the access behavior intention data is obtained by analyzing the device access behavior clusters in the access behavior knowledge graph, and the distribution state of the access behavior intention data and the number of times of information extraction processing have a corresponding correlation (illustratively, the access behavior intention data in the access behavior knowledge graph is used for reflecting the content of the access behavior knowledge graph, and the distribution state of the access behavior intention data at different positions in the access behavior knowledge graph can differ depending on the device access behavior clusters at those positions; for example, the access behavior intention data at a position with abnormal device access behaviors is more concentrated than at a position with non-abnormal device access behaviors, that is, the data objects of a series of device access behaviors there may be consistent, and/or the number of device access behaviors there may be larger, and these two dimensions can be combined);
Performing salient feature mining processing on the access behavior knowledge graph areas according to a first salient feature analysis rule and a second salient feature analysis rule which are configured in advance by utilizing the access security detection neural network model so as to output salient feature mining results corresponding to the access behavior knowledge graph areas, wherein the first salient feature analysis rule is provided with a non-variable detection frame, and the second salient feature analysis rule is provided with a variable detection frame;
performing a salient feature mining reverse process on the salient feature mining results corresponding to the plurality of access behavior knowledge graph regions to form updated access behavior knowledge graph regions corresponding to the plurality of access behavior knowledge graph regions, wherein each updated access behavior knowledge graph region carries behavior security identification information (that is, the processing procedure of the salient feature mining reverse process and the processing procedure of the salient feature mining process can be opposite to each other, so only the processing procedure of the salient feature mining reverse process is explained later);
According to the updated access behavior knowledge graph regions corresponding to the access behavior knowledge graph regions, performing security analysis processing on the access behavior knowledge graph regions and outputting a region-level behavior security analysis result corresponding to each access behavior knowledge graph region (the updated access behavior knowledge graph region corresponding to an access behavior knowledge graph region carries the behavior security identification information corresponding to each device access behavior cluster in that region; in this way, security analysis processing can be performed on the access behavior knowledge graph region according to the behavior security identification information of each device access behavior cluster carried in the updated region, and access behavior knowledge graph regions with different behavior security identification information correspond to different region-level behavior security analysis results);
and carrying out behavior security analysis processing on the access behavior knowledge graph according to the regional behavior security analysis result corresponding to each access behavior knowledge graph region so as to output a target behavior security analysis result corresponding to the access behavior knowledge graph as a target behavior security analysis result corresponding to the target government information network heterogeneous system (namely, the regional behavior security analysis result corresponding to a plurality of access behavior knowledge graph regions can be synthesized to form a target behavior security analysis result of the access behavior knowledge graph as a whole).
Optionally, the step of performing information extraction processing on the access behavior knowledge graph by using the access behavior intention data in the access behavior knowledge graph as a processing basis to form a plurality of access behavior knowledge graph regions corresponding to the access behavior knowledge graph includes the following in some detailed embodiments:
performing access behavior intention data mining processing on the access behavior knowledge graph to output an access behavior intention data distribution network corresponding to the access behavior knowledge graph, wherein the access behavior intention data distribution network is used for reflecting the distribution state of the access behavior intention data of each graph point in the access behavior knowledge graph (as described above, the distribution state can be determined according to data objects and/or behavior quantity);
analyzing and outputting the number of times of information extraction processing of the corresponding map points according to the distribution state of the access behavior intention data of each map point in the access behavior intention data distribution network;
and performing information extraction processing on the access behavior knowledge graph according to the times of the information extraction processing to form a plurality of access behavior knowledge graph areas corresponding to the access behavior knowledge graph (illustratively, the greater the times of the information extraction processing are, the greater the frequency of the information extraction processing is in the corresponding area, the greater the number of the formed access behavior knowledge graph areas is, for example, the access behavior knowledge graph can be divided into a plurality of initial access behavior knowledge graph areas in advance, and then the information extraction processing is performed on the initial access behavior knowledge graph areas according to the average value of the times of the information extraction processing of each graph point included in the initial access behavior knowledge graph areas to form at least one access behavior knowledge graph area corresponding to the initial access behavior knowledge graph area).
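The three steps just listed as one worked example, added here and not taken from the patent: a concentration score per graph point plays the role of the access behavior intention data, it is mapped to a number of information extraction passes, and pre-divided initial regions are cut into more pieces where the mean pass count is higher. The scoring formula, the 1..4 pass range, the "one initial region per device" pre-division and the sample points are all assumptions.

```python
import math

# Constructed graph points keyed by (device, period), each summarising its
# device access behaviour cluster by behaviour count and distinct data objects.
POINTS = {
    ("dev-A", 0): {"count": 5, "objects": 5},
    ("dev-A", 1): {"count": 80, "objects": 2},
    ("dev-A", 2): {"count": 120, "objects": 1},
    ("dev-B", 0): {"count": 4, "objects": 4},
    ("dev-B", 1): {"count": 6, "objects": 6},
    ("dev-B", 2): {"count": 9, "objects": 8},
}
# Assumed pre-division into initial regions: one per device, points in period order.
INITIAL_REGIONS = [
    [("dev-A", 0), ("dev-A", 1), ("dev-A", 2)],
    [("dev-B", 0), ("dev-B", 1), ("dev-B", 2)],
]


def intention_distribution(points, count_scale=100):
    """Access behaviour intention data per graph point, in [0, 1]: how much the
    accesses concentrate on few data objects, combined with behaviour volume
    (the two dimensions the text names, averaged; an assumed scoring)."""
    dist = {}
    for key, p in points.items():
        n = p["count"]
        object_conc = 1.0 - p["objects"] / n if n else 0.0
        volume = min(1.0, n / count_scale)
        dist[key] = (object_conc + volume) / 2
    return dist


def extraction_passes(distribution, max_passes=4):
    """Number of information extraction passes per point: more concentrated
    intention data -> more passes (1..max_passes)."""
    return {k: 1 + math.floor(v * (max_passes - 1) + 1e-9) for k, v in distribution.items()}


def split_regions(initial_regions, passes):
    """Cut each initial region into round(mean passes) consecutive pieces, so
    an initial region whose points need more passes yields more graph regions."""
    regions = []
    for reg in initial_regions:
        mean = sum(passes[k] for k in reg) / len(reg)
        pieces = max(1, min(len(reg), round(mean)))
        size = math.ceil(len(reg) / pieces)
        regions.extend(reg[i:i + size] for i in range(0, len(reg), size))
    return regions


def extract_regions(points, initial_regions):
    """Full information extraction: intention data -> pass counts -> regions."""
    return split_regions(initial_regions, extraction_passes(intention_distribution(points)))


if __name__ == "__main__":
    for region in extract_regions(POINTS, INITIAL_REGIONS):
        print(region)
```

On the constructed points the dev-A region, whose later periods hammer one or two data objects, gets a mean of about 2.3 passes and is split in two, while the diffuse dev-B region stays whole, giving three access behavior knowledge graph regions in total.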
Optionally, the step of performing salient feature mining processing on the multiple access behavior knowledge graph areas according to a first salient feature analysis rule and a second salient feature analysis rule that are configured in advance by using the access security detection neural network model to output salient feature mining results corresponding to the multiple access behavior knowledge graph areas includes the following in some detailed embodiments:
for one access behavior knowledge graph region (may be any one, the process of the significance feature mining processing of each access behavior knowledge graph region may be consistent), performing region segmentation processing (may be any segmentation, such as equal-size segmentation, or may be segmentation according to the correlation between the data of each graph point in the access behavior knowledge graph region, which is not limited in detail herein) on the access behavior knowledge graph region so as to form a plurality of access behavior knowledge graph subregions corresponding to the access behavior knowledge graph region;
mining access behavior representation information of the plurality of access behavior knowledge graph subregions, and determining region behavior representation information of the plurality of access behavior knowledge graph subregions based on the access behavior representation information of the plurality of access behavior knowledge graph subregions and the subregion distribution information of the plurality of access behavior knowledge graph subregions (illustratively, by fusing the access behavior representation information and the subregion distribution information; if both are represented by vectors, the fusion can be a superposition of the vectors, so as to obtain the region behavior representation information; the access behavior representation information reflects the data characteristics in the access behavior knowledge graph subregion, namely the mined key information, and the subregion distribution information reflects the distribution coordinates of the access behavior knowledge graph subregion within the access behavior knowledge graph region; in addition, for the plurality of access behavior knowledge graph subregions, the access behavior representation information and the subregion distribution information of each subregion can first be serialized, that is, converted from a multidimensional vector into a one-dimensional vector, and then superposed);
And performing salient feature mining processing on the regional behavior representation information of the multiple access behavior knowledge graph subregions according to a first salient feature analysis rule and a second salient feature analysis rule which are configured in advance by using the access security detection neural network model so as to output salient feature mining results corresponding to the access behavior knowledge graph regions.
Optionally, the step of performing, by using the access security detection neural network model, significant feature mining processing on the regional behavior representation information of the multiple access behavior knowledge graph subregions according to a first significant feature analysis rule and a second significant feature analysis rule that are configured in advance, so as to output significant feature mining results corresponding to the access behavior knowledge graph regions, in some detailed embodiments, includes the following:
performing salient feature mining processing on the regional behavior representation information of the multiple access behavior knowledge graph subregions according to a preconfigured first salient feature analysis rule, a data mapping processing rule and a threshold logic unit combination by using the access security detection neural network model so as to output candidate salient feature mining results corresponding to the multiple access behavior knowledge graph subregions;
And performing salient feature mining processing on candidate salient feature mining results corresponding to the plurality of access behavior knowledge graph subareas according to a pre-configured second salient feature analysis rule, a data mapping processing rule and a threshold logic unit combination by using the access security detection neural network model to output salient feature mining results corresponding to the access behavior knowledge graph subareas (illustratively, a processing procedure of performing salient feature mining processing according to the pre-configured second salient feature analysis rule, the data mapping processing rule and the threshold logic unit combination can be consistent with a processing procedure of performing salient feature mining processing according to the pre-configured first salient feature analysis rule, the data mapping processing rule and the threshold logic unit combination).
Optionally, the step of performing, by using the access security detection neural network model, saliency feature mining processing on the regional behavior representation information of the multiple access behavior knowledge graph subregions according to a preconfigured first saliency feature analysis rule, a data mapping processing rule and a threshold logic unit combination, so as to output candidate saliency feature mining results corresponding to the multiple access behavior knowledge graph subregions, in some detailed embodiments, includes the following:
Performing data mapping processing (such as mapping to interval 0-1) on the regional behavior representation information of the multiple access behavior knowledge graph subregions according to a pre-configured primary data mapping processing rule;
according to a preconfigured first salient feature analysis rule, carrying out salient feature mining on the regional behavior representation information of the plurality of access behavior knowledge graph subregions after data mapping processing, to output corresponding to-be-processed salient feature mining results (illustratively, the first salient feature analysis rule comprises a non-variable detection frame; the access behavior knowledge graph subregion can be further divided into a plurality of units of the same size, that is, a plurality of pieces of local key information are mined, then each salient feature is subjected to superposition or similar processing to obtain the to-be-processed salient feature mining result, and global key information can also be fused in to obtain the to-be-processed salient feature mining result; the specific way of mining the plurality of pieces of local key information can refer to the related prior art and is not specifically limited or described here);
Analyzing and outputting corresponding fusion significance feature mining results according to the region behavior representing information of the multiple access behavior knowledge graph subregions and the significance feature mining results to be processed (illustratively, the region behavior representing information of the multiple access behavior knowledge graph subregions and the significance feature mining results to be processed can be overlapped to output the fusion significance feature mining results);
performing data mapping processing (such as mapping to interval 0-1) on the fusion significance feature mining result according to a pre-configured intermediate data mapping processing rule;
according to a pre-configured combination of threshold logic units, performing a logic operation on the fused salient feature mining result to output candidate salient feature mining results corresponding to the multiple access behavior knowledge graph subregions (that is, the primary data mapping processing rule, the first salient feature analysis rule, the intermediate data mapping processing rule and the threshold logic unit combination all belong to the access security detection neural network model; the fused salient feature mining result and the output data of the threshold logic unit combination can be superposed to form the candidate salient feature mining results corresponding to the multiple access behavior knowledge graph subregions; the threshold logic unit combination can comprise multiple threshold logic units, which can be cascaded, and a corresponding input layer can be configured for each threshold logic unit, in which case the input layer configured for a latter threshold logic unit can be connected to the former threshold logic unit; in addition, a threshold logic unit can realize logical AND, OR and NOT, which are obtained through different weights and thresholds, and the weights and thresholds of a threshold logic unit can be obtained by learning; the specific learning process is not described in detail here).
Optionally, the step of performing a reverse processing of the significance feature mining on the significance feature mining results corresponding to the multiple access behavior knowledge spectrum areas to form updated access behavior knowledge spectrum areas corresponding to the multiple access behavior knowledge spectrum areas includes the following in some detailed embodiments:
aiming at one access behavior knowledge graph region (any access behavior knowledge graph region can be used, the processing procedures of the salient feature mining reverse processing of other access behavior knowledge graph regions can be consistent), the salient feature mining result of the access behavior knowledge graph region is subjected to the salient feature mining reverse processing so as to output behavior security identification information corresponding to a plurality of equipment access behavior clusters included in the access behavior knowledge graph region;
according to the behavior security identification information corresponding to the multiple device access behavior clusters included in the access behavior knowledge graph region, an updated access behavior knowledge graph region corresponding to the access behavior knowledge graph region is constructed, and the size of the graph object corresponding to each device access behavior cluster in the updated access behavior knowledge graph region reflects the corresponding behavior security identification information (for example, in other embodiments, the corresponding behavior security identification information may also be reflected based on other modes).
Optionally, the step of performing security analysis processing according to the updated access behavior knowledge spectrum regions corresponding to the multiple access behavior knowledge spectrum regions to output a region-level security analysis result corresponding to each access behavior knowledge spectrum region includes the following in some detailed embodiments:
for an updated access behavior knowledge spectrum region corresponding to the access behavior knowledge spectrum region (any access behavior knowledge spectrum region can be used, and the processing procedures of the security analysis processing of other access behavior knowledge spectrum regions can be consistent), counting the number of equipment access behavior clusters corresponding to each type of behavior security identification information in the updated access behavior knowledge spectrum region corresponding to the access behavior knowledge spectrum region as the corresponding number to be processed;
according to the number of the device access behavior clusters corresponding to each piece of the behavior security identification information to be processed, analyzing and outputting a regional behavior security analysis result corresponding to the access behavior knowledge graph region (for example, in one embodiment, the behavior security identification information corresponding to the device access behavior cluster with the largest number of the to-be-processed is used as the regional behavior security analysis result corresponding to the access behavior knowledge graph region, in other embodiments, different processing manners can also be used, and in addition, the behavior security identification information of one device access behavior cluster can be determined based on the number of the device access behaviors included in the device access behavior cluster and/or the concentration of the corresponding data object).
Optionally, the step of performing security analysis processing according to the updated access behavior knowledge spectrum regions corresponding to the multiple access behavior knowledge spectrum regions to output a region-level security analysis result corresponding to each access behavior knowledge spectrum region includes the following in some detailed embodiments:
for the updated access behavior knowledge graph region corresponding to one access behavior knowledge graph region (any access behavior knowledge graph region can be used, and the processing procedure of the security analysis processing of other access behavior knowledge graph regions can be consistent), updating the behavior security identification information corresponding to the plurality of device access behavior clusters included in the updated access behavior knowledge graph region according to the relative distribution information among the plurality of device access behavior clusters included in that region (that is, for one device access behavior cluster, its behavior security identification information can be updated according to the behavior security identification information of the other device access behavior clusters included in the updated access behavior knowledge graph region to which it belongs; for example, one updated access behavior knowledge graph region includes device access behavior cluster 1, device access behavior cluster 2, device access behavior cluster 3 and device access behavior cluster 4, where the behavior security identification information corresponding to device access behavior cluster 1 is A and the behavior security identification information corresponding to device access behavior clusters 2, 3 and 4 is B, so the behavior security identification information corresponding to device access behavior cluster 1 can be updated to B, or weighted processing and the like can be applied);
And analyzing and outputting a regional behavior security analysis result corresponding to the access behavior knowledge graph region according to the number of the equipment access behavior clusters (refer to the related description) corresponding to each piece of behavior security identification information in the updated access behavior knowledge graph region.
Optionally, the step of performing a behavioral safety analysis process on the access behavior knowledge graph according to the regional behavioral safety analysis result corresponding to each access behavior knowledge graph region to output a target behavioral safety analysis result corresponding to the access behavior knowledge graph as a target behavioral safety analysis result corresponding to the target government information network heterogeneous system, in some detailed embodiments, includes the following steps:
analyzing and outputting a region number ratio (namely the ratio of the region statistical number to the total number of regions) corresponding to each region-level behavior security analysis result according to the region statistical number of the access behavior knowledge graph regions corresponding to each (kind of) region-level behavior security analysis result;
and performing behavior safety analysis processing on the access behavior knowledge graph according to the region number ratio corresponding to each region-level behavior safety analysis result (for example, taking the region-level behavior safety analysis result with the largest region number ratio as a target behavior safety analysis result, or performing weighted summation calculation on each region-level behavior safety analysis result based on the corresponding region number ratio to obtain a corresponding target behavior safety analysis result), so as to output the target behavior safety analysis result corresponding to the access behavior knowledge graph as a target behavior safety analysis result corresponding to the target government information network heterogeneous system.
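The region-level and whole-graph stages described above (cluster labelling from behavior count and data-object concentration, the relative-distribution update of a cluster's label from its region-mates, the count-based region-level result, and the region number ratio with both the argmax and the weighted variant) in one added example; this is illustration code, not the patent's own. The labels "normal"/"abnormal", the thresholds, the risk weights used by the weighted variant and the sample regions are assumptions.

```python
from collections import Counter

# Constructed regions of the knowledge graph: each region is a list of device
# access behaviour clusters summarised by the number of behaviours and the set
# of data objects they touched.
REGIONS = [
    [
        {"count": 120, "objects": {"/citizens/1", "/citizens/2"}},
        {"count": 5, "objects": {f"/r/{i}" for i in range(5)}},
        {"count": 90, "objects": {"/citizens/1"}},
        {"count": 200, "objects": {"/x", "/y", "/z"}},
    ],
    [
        {"count": 10, "objects": {f"/r/{i}" for i in range(10)}},
        {"count": 20, "objects": {f"/r/{i}" for i in range(20)}},
        {"count": 60, "objects": {"/a"}},
    ],
    [
        {"count": 30, "objects": {"/a"}},
        {"count": 40, "objects": {f"/r/{i}" for i in range(40)}},
        {"count": 3, "objects": {"/b"}},
    ],
]
RISK = {"normal": 0.0, "abnormal": 1.0}   # assumed numeric weight per label


def label_cluster(cluster, min_count=50, min_concentration=0.8):
    """Behaviour security identification for one cluster, from the number of
    behaviours and the data-object concentration (share of accesses that hit
    an already-seen object); thresholds are assumed."""
    n = cluster["count"]
    if n == 0:
        return "normal"
    concentration = 1.0 - len(cluster["objects"]) / n
    return "abnormal" if n >= min_count and concentration >= min_concentration else "normal"


def neighbour_update(labels):
    """Relative-distribution update: a cluster adopts the label that a strict
    majority of the other clusters in its region carry.  Regions with fewer
    than three clusters are left unchanged so two clusters cannot swap labels."""
    if len(labels) < 3:
        return list(labels)
    updated = []
    for i, lab in enumerate(labels):
        others = Counter(l for j, l in enumerate(labels) if j != i)
        top, n = others.most_common(1)[0]
        updated.append(top if n > len(labels) - 1 - n else lab)
    return updated


def region_result(labels):
    """Region-level result: the label carried by the most clusters (first seen wins a tie)."""
    return Counter(labels).most_common(1)[0][0]


def target_result(region_results, mode="argmax"):
    """Whole-graph result from region number ratios: the most common region
    result, or a risk score in [0, 1] obtained by weighting with the ratios."""
    total = len(region_results)
    ratios = {r: n / total for r, n in Counter(region_results).items()}
    if mode == "argmax":
        return max(ratios, key=ratios.get)
    return sum(ratio * RISK[r] for r, ratio in ratios.items())


def analyse(regions, mode="argmax"):
    """Region-level results for every region, then the target result."""
    results = [region_result(neighbour_update([label_cluster(c) for c in reg]))
               for reg in regions]
    return results, target_result(results, mode)


if __name__ == "__main__":
    print(analyse(REGIONS))
    print(analyse(REGIONS, mode="weighted"))
```

On the constructed regions the first region's lone small cluster is pulled to "abnormal" by its three concentrated neighbours and the second region's single concentrated cluster is pulled to "normal", so the region results are abnormal, normal, normal; the argmax target is "normal" and the weighted risk score is 1/3, which keeps the one abnormal region visible instead of hiding it behind the majority.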
Optionally, the step of updating the access security detection neural network model includes, in some detailed embodiments, the following:
taking the access behavior intention data in an extracted typical access behavior knowledge graph as the processing basis, performing information extraction processing on the typical access behavior knowledge graph to form a plurality of typical access behavior knowledge graph regions corresponding to the typical access behavior knowledge graph, wherein the typical access behavior knowledge graph carries a typical behavior security analysis result, the access behavior intention data is obtained by analyzing the device access behavior clusters in the typical access behavior knowledge graph, and the distribution state of the access behavior intention data has a corresponding correlation with the number of times of the information extraction processing (refer to the related description above);
analyzing and outputting the typical behavior security identification information in each typical access behavior knowledge graph region according to the region distribution information of the plurality of typical access behavior knowledge graph regions in the typical access behavior knowledge graph and a pre-configured behavior security identification information network, wherein the behavior security identification information network reflects the behavior security identification information of each graph region in the typical access behavior knowledge graph (for one typical access behavior knowledge graph region, the behavior security identification information of each device access behavior cluster at the corresponding coordinates can be looked up in the behavior security identification information network based on the coordinates of that region in the typical access behavior knowledge graph);
performing salient feature mining processing on the plurality of typical access behavior knowledge graph regions, according to the first salient feature analysis rule and the second salient feature analysis rule configured in advance, by using the initial access security detection neural network model to be updated, so as to output the salient feature mining results corresponding to the plurality of typical access behavior knowledge graph regions (refer to the related description above);
performing salient feature mining reverse processing on salient feature mining results corresponding to the plurality of typical access behavior knowledge graph regions to form typical update access behavior knowledge graph regions corresponding to the plurality of typical access behavior knowledge graph regions, wherein each typical update access behavior knowledge graph region carries behavior security identification information (refer to the related description);
performing security analysis processing according to the typical updated access behavior knowledge graph regions corresponding to the plurality of typical access behavior knowledge graph regions, so as to output a region-level behavior security analysis result corresponding to each typical access behavior knowledge graph region (refer to the related description above);
performing behavior security analysis processing on the typical access behavior knowledge graph according to the regional behavior security analysis result corresponding to each typical access behavior knowledge graph region so as to output a target behavior security analysis result corresponding to the typical access behavior knowledge graph (refer to the related description);
Updating the access security detection neural network model to be updated according to the behavior security identification information (i.e. the estimated behavior security identification information) carried in each typical updating access behavior knowledge graph region, the typical behavior security identification information in each typical access behavior knowledge graph region, the target behavior security analysis result (i.e. the estimated behavior security analysis result) of the typical access behavior knowledge graph and the typical behavior security analysis result, so as to obtain a corresponding access security detection neural network model.
Optionally, the step of updating the to-be-updated access security detection neural network model according to the behavior security identification information carried in each of the typical updated access behavior knowledge graph regions, the typical behavior security identification information in each of the typical access behavior knowledge graph regions, the target behavior security analysis result of the typical access behavior knowledge graph, and the typical behavior security analysis result to obtain a corresponding access security detection neural network model includes, in some detailed embodiments, the following steps:
Analyzing and outputting corresponding identification information analysis errors according to the behavior security identification information carried in each typical updating access behavior knowledge graph region and the typical behavior security identification information in the corresponding typical access behavior knowledge graph region;
analyzing and outputting a corresponding security result analysis error according to the target behavior security analysis result of the typical access behavior knowledge graph and the typical behavior security analysis result (the error calculation method is not particularly limited here);
and updating the access security detection neural network model to be updated according to the identification information analysis error and the security result analysis error (such as superposition to obtain a total analysis error, and updating based on the total analysis error) so as to obtain an access security detection neural network model corresponding to the access security detection neural network model to be updated.
Optionally, the step of analyzing and outputting a corresponding analysis error of the identification information according to the behavior security identification information carried in each of the typical updated access behavior knowledge graph regions and the typical behavior security identification information in the corresponding typical access behavior knowledge graph region includes the following in some detailed embodiments:
analyzing and outputting a corresponding first-type identification information analysis error, using a preset first error analysis function, according to the behavior security identification information carried in each typical updated access behavior knowledge graph region and the typical behavior security identification information in the corresponding typical access behavior knowledge graph region; and analyzing and outputting a corresponding second-type identification information analysis error, using a preset second error analysis function, according to the same behavior security identification information and typical behavior security identification information, wherein the second error analysis function is different from the first error analysis function (the specific types of the two functions are not limited, as long as they differ from each other);
fusing the first-type identification information analysis error and the second-type identification information analysis error (for example, by averaging them) to output the corresponding identification information analysis error.
With reference to fig. 3, the embodiment of the invention further provides a heterogeneous security monitoring device based on the government information network, which can be applied to the heterogeneous security monitoring system based on the government information network. The heterogeneous security monitoring device based on the government information network can comprise the following:
an operation log data extraction module, configured to respectively extract the operation log data corresponding to each target government information processing device from each target government information processing device included in the target government information network heterogeneous system, wherein the operation log data comprises a plurality of corresponding device access behavior clusters formed based on the device access behaviors received by the corresponding target government information processing device in a plurality of time periods, each device access behavior cluster comprises at least one device access behavior performed by at least one data access device in one time period, and the target government information network heterogeneous system comprises a plurality of target government information processing devices;
a knowledge graph construction processing module, configured to perform knowledge graph construction processing on the device access behavior clusters according to the device correlation relationship between the target government information processing devices corresponding to the device access behavior clusters, in combination with the time correlation relationship between the time periods corresponding to the device access behavior clusters, so as to form the access behavior knowledge graphs corresponding to all the device access behavior clusters included in all the operation log data;
a behavior security analysis processing module, configured to perform behavior security analysis processing on the access behavior knowledge graph by using the access security detection neural network model, so as to determine a target behavior security analysis result corresponding to the target government information network heterogeneous system, wherein the target behavior security analysis result reflects the system network security degree of the target government information network heterogeneous system.
In summary, according to the heterogeneous security monitoring method and system based on the government information network provided by the invention, firstly, the corresponding operation log data is respectively extracted from each target government information processing device; then, according to the device correlation relationship between the target government information processing devices corresponding to the device access behavior clusters included in the operation log data, in combination with the time correlation relationship between the time periods corresponding to the device access behavior clusters, knowledge graph construction processing is carried out to form the access behavior knowledge graphs corresponding to all the device access behavior clusters included in the operation log data; and finally, behavior security analysis processing is performed on the access behavior knowledge graph by using the access security detection neural network model, so as to determine the target behavior security analysis result corresponding to the target government information network heterogeneous system. Through these steps, all device access behaviors included in the target government information network heterogeneous system are integrated through the knowledge graph, so that the analysis basis is sufficient, the reliability of the behavior security analysis is improved to a certain extent, and the problem of low reliability of behavior security analysis in the prior art is solved.
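The graph construction of claim 1 (two device correlations merged, then two-dimensional cluster coordinates) and the region-number-ratio aggregation described above, as an added Python example that is not the patent's own code; the interaction-share and Jaccard correlation measures, the averaging merge, the exponential time decay and the coordinate convention are assumptions the patent does not fix, and the operation log data is constructed.

```python
"""Added example (not the patent's own code): knowledge graph construction of claim 1
plus region-number-ratio aggregation, on constructed log data.  Assumed: interaction-
share first correlation, Jaccard second correlation, merge by average, exponential
time decay, device-axis coordinate = 1 - correlation with a reference device."""
from collections import Counter, defaultdict
from itertools import combinations
import math

# Constructed operation log data: each target government information processing
# device maps to the device access behaviors it received; "peer" marks a data
# interaction with another target device (input to the first correlation).
LOGS = {
    "dev-A": [
        {"period": 0, "accessor": "client-1"},
        {"period": 0, "accessor": "client-2", "peer": "dev-B"},
        {"period": 1, "accessor": "client-1"},
        {"period": 2, "accessor": "client-3", "peer": "dev-B"},
    ],
    "dev-B": [
        {"period": 0, "accessor": "client-2"},
        {"period": 1, "accessor": "client-2", "peer": "dev-A"},
        {"period": 2, "accessor": "client-4"},
    ],
    "dev-C": [
        {"period": 0, "accessor": "client-5"},
        {"period": 2, "accessor": "client-5", "peer": "dev-B"},
    ],
}

def device_access_behavior_clusters(logs):
    """One cluster per (device, time period): the behaviors that device received then."""
    clusters = defaultdict(list)
    for device, records in logs.items():
        for rec in records:
            clusters[(device, rec["period"])].append(rec)
    return dict(clusters)

def first_device_correlation(logs, d1, d2):
    """Share of the interaction events involving d1 or d2 that are between the two."""
    def involving(d):
        own = sum(1 for r in logs[d] if "peer" in r)
        incoming = sum(1 for o, recs in logs.items() if o != d
                       for r in recs if r.get("peer") == d)
        return own + incoming
    pair = (sum(1 for r in logs[d1] if r.get("peer") == d2)
            + sum(1 for r in logs[d2] if r.get("peer") == d1))
    union = involving(d1) + involving(d2) - pair
    return pair / union if union else 0.0

def second_device_correlation(logs, d1, d2):
    """Coincidence of the data access devices: Jaccard overlap of the accessor sets."""
    a = {r["accessor"] for r in logs[d1]}
    b = {r["accessor"] for r in logs[d2]}
    return len(a & b) / len(a | b) if a | b else 0.0

def target_device_correlation(logs, d1, d2):
    """Merge the two correlations (assumed: plain average); a device with itself is 1."""
    if d1 == d2:
        return 1.0
    return (first_device_correlation(logs, d1, d2)
            + second_device_correlation(logs, d1, d2)) / 2

def time_correlation(p1, p2):
    """Assumed: exponential decay with the number of periods between two clusters."""
    return math.exp(-abs(p1 - p2))

def build_access_behavior_knowledge_graph(logs):
    """Nodes: clusters with (device axis, time axis) coordinates; edges: device x time corr."""
    clusters = device_access_behavior_clusters(logs)
    reference = sorted(logs)[0]  # device axis anchored on the first device
    nodes = {key: {"position": (1.0 - target_device_correlation(logs, reference, key[0]),
                                float(key[1])),
                   "behaviors": recs}
             for key, recs in clusters.items()}
    edges = {}
    for c1, c2 in combinations(sorted(clusters), 2):
        w = target_device_correlation(logs, c1[0], c2[0]) * time_correlation(c1[1], c2[1])
        if w > 0:  # devices with zero correlation get no edge
            edges[(c1, c2)] = w
    return {"nodes": nodes, "edges": edges}

# Region-level results mapped to a security degree (assumed labels and scores).
SECURITY_DEGREE = {"safe": 1.0, "suspicious": 0.5, "unsafe": 0.0}

def region_number_ratio(region_results):
    """Share of knowledge graph regions that produced each region-level result."""
    counts = Counter(region_results)
    return {res: n / len(region_results) for res, n in counts.items()}

def target_result_by_largest_ratio(region_results):
    """Variant 1: the result backed by the most regions (ties go to the less safe one)."""
    ratio = region_number_ratio(region_results)
    return max(ratio, key=lambda r: (ratio[r], -SECURITY_DEGREE[r]))

def target_result_by_weighted_sum(region_results):
    """Variant 2: security degree of each result weighted by its region number ratio."""
    ratio = region_number_ratio(region_results)
    return sum(share * SECURITY_DEGREE[res] for res, share in ratio.items())
```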
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A heterogeneous security monitoring method based on a government information network is characterized by comprising the following steps:
respectively extracting operation log data corresponding to each target government information processing device from each target government information processing device included in the target government information network heterogeneous system, wherein the operation log data comprises a plurality of corresponding device access behavior clusters formed based on device access behaviors received by the corresponding target government information processing device in a plurality of time periods, each device access behavior cluster comprises at least one device access behavior performed by at least one data access device in one time period, and the target government information network heterogeneous system comprises a plurality of target government information processing devices;
according to the device correlation relationship between the target government information processing devices corresponding to the device access behavior clusters, and in combination with the time correlation relationship between the time periods corresponding to the device access behavior clusters, carrying out knowledge graph construction processing on the device access behavior clusters to form all access behavior knowledge graphs corresponding to all the device access behavior clusters included in all the operation log data;
Performing behavior security analysis processing on the access behavior knowledge graph by using an access security detection neural network model to determine a target behavior security analysis result corresponding to the target government information network heterogeneous system, wherein the target behavior security analysis result is used for reflecting the system network security degree of the target government information network heterogeneous system;
the step of performing knowledge graph construction processing on the device access behavior clusters according to the device correlation relationship between the target government information processing devices corresponding to the device access behavior clusters and in combination with the time correlation relationship between the time periods corresponding to the device access behavior clusters to form all access behavior knowledge graphs corresponding to all device access behavior clusters included in all the operation log data comprises the following steps:
for each two target government information processing devices, analyzing and processing data interaction behaviors between the two target government information processing devices to output a first device correlation relationship between the two target government information processing devices, performing coincidence analysis and processing on data access devices corresponding to the two target government information processing devices to output a second device correlation relationship between the two target government information processing devices, merging the first device correlation relationship and the second device correlation relationship, and outputting a target device correlation relationship between the two target government information processing devices;
taking the target device correlation between the target government information processing devices corresponding to the device access behavior clusters as a first analysis dimension, taking the time correlation between the time periods corresponding to the device access behavior clusters as a second analysis dimension, respectively determining two-dimensional distribution coordinates corresponding to each device access behavior cluster according to the first analysis dimension and the second analysis dimension, and taking the two-dimensional distribution coordinates corresponding to each device access behavior cluster as the knowledge graph position in the access behavior knowledge graph to be constructed, so as to construct all access behavior knowledge graphs corresponding to all device access behavior clusters included in all the operation log data.
2. The heterogeneous security monitoring method based on a government information network as claimed in claim 1, wherein the step of extracting the operation log data corresponding to each target government information processing device from each target government information processing device included in the heterogeneous system of the target government information network includes:
extracting original operation log data corresponding to each target government information processing device from each target government information processing device included in the target government information network heterogeneous system respectively;
and respectively carrying out data analysis processing on the original operation log data corresponding to each target government information processing device according to the data analysis rule corresponding to each target government information processing device, so as to obtain the operation log data corresponding to each target government information processing device.
3. The heterogeneous security monitoring method based on government information network as claimed in claim 1 or 2, wherein the step of performing behavioral security analysis processing on the access behavioral knowledge graph by using an access security detection neural network model to determine a target behavioral security analysis result corresponding to the target government information network heterogeneous system includes:
the method comprises the steps of taking access behavior intention data in the access behavior knowledge graph as a processing basis, carrying out information extraction processing on the access behavior knowledge graph to form a plurality of access behavior knowledge graph areas corresponding to the access behavior knowledge graph, wherein the access behavior intention data is obtained by analyzing equipment access behavior clusters in the access behavior knowledge graph, and the distribution state of the access behavior intention data and the information extraction processing times have a corresponding correlation;
Performing salient feature mining processing on the access behavior knowledge graph areas according to a first salient feature analysis rule and a second salient feature analysis rule which are configured in advance by utilizing the access security detection neural network model so as to output salient feature mining results corresponding to the access behavior knowledge graph areas, wherein the first salient feature analysis rule is provided with a non-variable detection frame, and the second salient feature analysis rule is provided with a variable detection frame;
performing salient feature mining reverse processing on salient feature mining results corresponding to the access behavior knowledge graph regions to form updated access behavior knowledge graph regions corresponding to the access behavior knowledge graph regions, wherein each updated access behavior knowledge graph region carries behavior security identification information;
performing security analysis processing according to the updated access behavior knowledge graph regions corresponding to the access behavior knowledge graph regions, so as to output region-level behavior security analysis results corresponding to each access behavior knowledge graph region;
and carrying out behavior security analysis processing on the access behavior knowledge graph according to the regional behavior security analysis result corresponding to each access behavior knowledge graph region so as to output a target behavior security analysis result corresponding to the access behavior knowledge graph as a target behavior security analysis result corresponding to the target government information network heterogeneous system.
4. The heterogeneous security monitoring method based on government information network as claimed in claim 3, wherein the step of extracting information from the access behavior knowledge graph by using the access behavior intention data in the access behavior knowledge graph as a processing basis to form a plurality of access behavior knowledge graph regions corresponding to the access behavior knowledge graph comprises the following steps:
performing access behavior intention data mining processing on the access behavior knowledge graph to output an access behavior intention data distribution network corresponding to the access behavior knowledge graph, wherein the access behavior intention data distribution network is used for reflecting the distribution state of the access behavior intention data of each graph point in the access behavior knowledge graph;
analyzing and outputting the number of times of information extraction processing of the corresponding map points according to the distribution state of the access behavior intention data of each map point in the access behavior intention data distribution network;
and carrying out information extraction processing on the access behavior knowledge graph according to the times of the information extraction processing so as to form a plurality of access behavior knowledge graph areas corresponding to the access behavior knowledge graph.
5. The heterogeneous security monitoring method based on government information network as claimed in claim 3, wherein the step of performing a behavioral security analysis process on the access behavior knowledge graph according to the regional behavioral security analysis result corresponding to each access behavior knowledge graph region to output a target behavioral security analysis result corresponding to the access behavior knowledge graph as a target behavioral security analysis result corresponding to the heterogeneous system of the target government information network includes:
analyzing and outputting a region number ratio corresponding to each region-level behavior security analysis result according to the statistical number of access behavior knowledge graph regions corresponding to each region-level behavior security analysis result;
and carrying out behavior security analysis processing on the access behavior knowledge graph according to the region number ratio corresponding to each region-level behavior security analysis result so as to output a target behavior security analysis result corresponding to the access behavior knowledge graph as a target behavior security analysis result corresponding to the target government information network heterogeneous system.
6. The heterogeneous security monitoring method based on a government information network as claimed in claim 3, wherein the step of updating the access security detection neural network model includes:
the method comprises the steps of taking access behavior intention data in an extracted typical access behavior knowledge graph as a processing basis, carrying out information extraction processing on the typical access behavior knowledge graph to form a plurality of typical access behavior knowledge graph areas corresponding to the typical access behavior knowledge graph, wherein the typical access behavior knowledge graph carries typical behavior safety analysis results, the access behavior intention data is obtained by analyzing equipment access behavior clusters in the typical access behavior knowledge graph, and a corresponding correlation exists between the distribution state of the access behavior intention data and the information extraction processing times;
Analyzing and outputting typical behavior security identification information in each typical access behavior knowledge graph region according to region distribution information of the plurality of typical access behavior knowledge graph regions in the typical access behavior knowledge graph and a pre-configured behavior security identification information network, wherein the behavior security identification information network is used for reflecting behavior security identification information of each graph region in the typical access behavior knowledge graph;
performing salient feature mining processing on the plurality of typical access behavior knowledge graph areas according to a first salient feature analysis rule and a second salient feature analysis rule which are configured in advance by using an initial access security detection neural network model to be updated so as to output salient feature mining results corresponding to the plurality of typical access behavior knowledge graph areas;
performing salient feature mining reverse processing on salient feature mining results corresponding to the plurality of typical access behavior knowledge graph regions to form typical update access behavior knowledge graph regions corresponding to the plurality of typical access behavior knowledge graph regions, wherein each typical update access behavior knowledge graph region carries behavior security identification information;
Performing security analysis processing according to the typical updated access behavior knowledge graph regions corresponding to the plurality of typical access behavior knowledge graph regions, so as to output region-level behavior security analysis results corresponding to each typical access behavior knowledge graph region;
performing behavior security analysis processing on the typical access behavior knowledge graph according to the regional behavior security analysis result corresponding to each typical access behavior knowledge graph region so as to output a target behavior security analysis result corresponding to the typical access behavior knowledge graph;
and updating the access security detection neural network model to be updated according to the behavior security identification information carried in each typical updating access behavior knowledge graph region, the typical behavior security identification information in each typical access behavior knowledge graph region, the target behavior security analysis result of the typical access behavior knowledge graph and the typical behavior security analysis result, so as to obtain a corresponding access security detection neural network model.
7. The heterogeneous security monitoring method based on government information network as claimed in claim 6, wherein the step of updating the access security detection neural network model to be updated according to the behavior security identification information carried in each of the typical updated access behavior knowledge graph regions, the typical behavior security identification information in each of the typical access behavior knowledge graph regions, the target behavior security analysis result of the typical access behavior knowledge graph, and the typical behavior security analysis result to obtain a corresponding access security detection neural network model includes:
Analyzing and outputting corresponding identification information analysis errors according to the behavior security identification information carried in each typical updating access behavior knowledge graph region and the typical behavior security identification information in the corresponding typical access behavior knowledge graph region;
analyzing and outputting corresponding safety result analysis errors according to the target behavior safety analysis result of the typical access behavior knowledge graph and the typical behavior safety analysis result;
updating the access security detection neural network model to be updated according to the identification information analysis error and the security result analysis error to obtain an access security detection neural network model corresponding to the access security detection neural network model to be updated.
8. The heterogeneous security monitoring method based on a government information network as claimed in claim 7, wherein the step of analyzing and outputting corresponding analysis errors of the identification information according to the behavior security identification information carried in each of the typical updated access behavior knowledge graph regions and the typical behavior security identification information in the corresponding typical access behavior knowledge graph region includes:
analyzing and outputting corresponding first type identification information analysis errors according to a preset first error analysis function according to the behavior security identification information carried in each typical updating access behavior knowledge graph region and the typical behavior security identification information in the corresponding typical access behavior knowledge graph region;
Analyzing and outputting corresponding second type identification information analysis errors according to a second error analysis function which is preset according to behavior safety identification information carried in each typical updating access behavior knowledge graph region and typical behavior safety identification information in the corresponding typical access behavior knowledge graph region, wherein the second error analysis function is different from the first error analysis function;
and fusing the first type identification information analysis errors and the second type identification information analysis errors to output corresponding identification information analysis errors.
9. A heterogeneous security monitoring system based on a government information network, comprising a processor and a memory, the memory for storing a computer program, the processor for executing the computer program to implement the method of any of claims 1-8.
CN202211208562.6A 2022-09-30 2022-09-30 Heterogeneous security monitoring method and system based on government information network Active CN115603973B (en)

Publications (2)

Publication Number Publication Date
CN115603973A CN115603973A (en) 2023-01-13
CN115603973B (en) 2023-04-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant